The lawsuit, first filed last June, takes Sony to task for failing to protect users' information using industry standard practices, which exposed those users to undue risk of identity theft and fraud. Though the core PSN service is free, the lawsuit also sought restitution for lost access to paid services such as Netflix, MLB.tv, and NHL Gamecenter, which were unavailable through the PS3 while PSN was down for over a month following the hacking incident.

But district judge Anthony J. Battaglia's ruling [PDF via Courthouse News] rejected most of the plaintiffs' arguments, saying, in essence, that Sony never promised its service would be perfect. In fact, the ruling specifically cites a clause in PSN's privacy policy warning users that "there is no such thing as perfect security" and "we cannot ensure or warrant the security of any information transmitted to us through [the PSN]," obviating the suit's claim that Sony misled consumers or committed fraud itself.

Judge Battaglia also notes that Sony's terms of service clearly state that "no warranty is given about the quality, functionality, availability, or performance of Sony Online Services, or any content or service offered on or through Sony Online Services." Thus, the company was under no obligation to provide "continuous and uninterrupted service to either the PSN or prepaid third-party services." Furthermore, the plaintiffs were unable to prove any specific harm of identity theft or personal fraud stemming directly from the data breach.

While the plaintiffs will have until November 9 to amend a number of their complaints, the ruling effectively guts the most salient arguments against Sony in the matter. Ultimately, this should protect the company from any further damages from the hacking incident.

Kyle Orland
Kyle is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in the Washington, DC area. Email: kyle.orland@arstechnica.com // Twitter: @KyleOrl

60 Reader Comments

The judge's ruling flies in the face of the suits in question. No one expected "Perfect Security". They simply expected standard security. A locked front door isn't perfect. But it's better than leaving a door unlocked entirely.

That's what Industry Standard means. And that is an outright failure on Sony's part. To equate Industry Standard with "Perfect Security" is to create the illusion that Industry Standard security is unattainable. Which is patently false.

Pardon my hyperbole, but does this now mean that companies can add in some text to their user agreement which alleviates them of responsibility for when their products fail? How does that work? Car brakes. Baby seats. Safety glasses.

Maybe Sony should be forced to publish its security plan in the user agreement so that consumers can use that information to determine whether they want to use Sony's services. Otherwise, the consumer is forced to trust the company and its security practices. When that company fails, it should have to pay retribution for the product lost.

Sony never promised to support "Other OS" either. Sony never promised not to put rootkits on your computer. Is anyone surprised by this new case? I personally do not buy any Sony gear... Don't know about the rest of you.

I wrote Sony off a long time ago. I used to be a Sony fanboy. They used to be the leaders in the console market. Now they are playing catch up and not doing a very good job at it. I don't see any reason to give them my credit card or any personal information. The change makes me sad and a little angry.

Pardon my hyperbole, but does this now mean that companies can add in some text to their user agreement which alleviates them of responsibility for when their products fail? How does that work? Car brakes. Baby seats. Safety glasses.

Generally speaking, there has to be some type of defined "loss" for a company to be sued. In general liability (car brakes, baby seats, etc), this would be either bodily injury or property damage. If the brakes fail, the manufacturer (their insurance company) would pay for any resulting bodily injury to the customer, third parties as well as property damage.

However this would fall more under "cyber liability" or "professional errors & omissions liability". In these cases BI and PD are considered, as well as financial losses. I think the key in this ruling was that none of the plaintiffs actually suffered from stolen identities, or at least that's how I read the article. If a plaintiff did suffer financial losses due to the PSN being hacked, the case should go forward. They could sue for gross negligence but it appears the judge booted that with his "perfect security" statement.

All that being said, this ruling is complete crap - no one expects perfect security but that doesn't mean any company can simply disclaim their liability to protect customers' privacy.

Also, as a liability underwriter, I want to point out to folks that this ruling was likely the result of a judge way in over his head regarding *technology*. This will in no way set precedents to enable companies to disclaim liability for "real world" incidents. It's sort of like patents, most judges just don't get it, and we end up with BS rulings. However to use the car brakes example, no amount of warning, disclaimers, sign-offs, etc will negate the manufacturers' liability. They can try, but it won't work. All of those signs you see in parking lots saying "park at your own risk" don't hold any weight in court. Neither would a liability disclaimer for car brakes.

The Judge's ruling puts the onus of responsibility on the users to "read the fine print". This is, for many, an absurd statement for reasons others will elaborate on.

The interesting implication is whether continued breaches like this will force users to read the fine print and then actually decline services with such wording.

As goreproductions illustrated, an oft unconsidered "option" is to not get a service. While it is generally considered to be farcical that even a significant portion of users will take the time to read the fine print, these absurd rulings might serve as notice to the trusting souls out there that no agreement can be taken lightly.

Likely it will just cause the agreements to take on different forms to bypass evolving user knowledge / expectation, but at least the nature of the problem is changing. And that is a Good Thing (TM) even if the steps taken to get there are particularly painful.

The judge's ruling flies in the face of the suits in question. No one expected "Perfect Security". They simply expected standard security. A locked front door isn't perfect. But it's better than leaving a door unlocked entirely.

For some reason, I'm reminded of that Canadian law where you must roll up your windows or get a ticket for not securing your vehicle from theft. It might be a "blame the victim" law, but that's entirely what you are trying to convict Sony of breaking. While they took so much effort to secure profits for themselves with DRM, they certainly didn't give any effort to secure their customers' data with the plaintext mantra.

So, should we punish the victim? Or, rather, the one who assisted in others being victimized?

For some reason, I'm reminded of that Canadian law where you must roll up your windows or get a ticket for not securing your vehicle from theft. It might be a "blame the victim" law, but that's entirely what you are trying to convict Sony of breaking.

The law doesn't say that, it was just an instance of one cop being an overzealous semi-literate tool. The law is there to keep you from leaving the keys in while unattended. The cop backed down and gave a "warning" instead, because if it went to court he'd lose and in all likelihood get a tongue lashing for being an idiot.

It would appear that the judge has no issue with Sony being liable for proven damages. Not having access to their service or third party sites via their service isn't quantifiable damage in legal terms. If they can produce a list of PSN users that can demonstrate that they were victims of identity theft due to the security breach, then Sony would be liable, otherwise it's just people complaining about not having the core service that Sony was providing for free and an additional route of access to other online services that aren't directly tied to Sony's network.

There is a huge gap between "not providing perfect service" in terms of uptime and the type of service disruption which occurred. Even with a clause in the contract (as much as those ridiculous documents might be considered such or not in a consumer space), it shouldn't trump the reasonable expectations of the consumer, nor the consumer's rights.

Even if the consumer has been warned that there may be service outages (a perfectly valid disclaimer) you would still, I would think, have to consider the reasonableness of said outages versus expectations and other statements (marketing/etc) made. In light of that, the outage was unreasonable and should not have fallen under purview of being protected by the disclaimer. There is a vast difference between "we might not have 100% uptime" to "we may go down for up to a month at a time" and just because you have communicated the former does not mean you have in turn communicated or properly disclaimed the latter.

The same applies to the security issue. It's reasonable to expect that certain precautions in line with industry SOP would have been taken, which, in Sony's case, weren't. Even in light of the disclaimer this should still be the case.

Disclaiming is supposed to be a matter of notifying, not some blanket panacea to liability for things like negligence. Except, apparently, this judge feels it should be when it's thrown in some huge document that randomly gets changed at various times and which one side had access to lawyers to craft but is expected to be read in the home by laypeople without consultation with an attorney while in the process of trying to get past the document to do some task, not simply when there is available time to sit down and peruse it in depth, assuming even half of their customers are actually capable of fully understanding all of said document's contents and ramifications, not to mention that it wasn't presented at time of sale with the physical device which requires said service to function.

Yay for once again throwing consumers' rights out the window.

Post-purchase TOS agreements and EULAs in their current states are absolutely disgusting, even for services. There really needs to be some standardizing and reform akin to the credit card reform bills which were passed to try to deal with predatory lending agreements hidden in fine print.

Shouldn't Sony be responsible for this kind of stuff, especially the 3rd party stuff, because not too long ago with that whole Geohotz thing they pushed a patch that forced users off a Linux build and onto the vanilla Sony OS. With that came the need to sign into the PSN to use any network services, so if the PSN goes down you can't do anything on-line any more. They effectively removed any way to get around that because it was a "security risk", so when they go down and make you unable to access any other service, should they not be held accountable?

It would appear that the judge has no issue with Sony being liable for proven damages. Not having access to their service or third party sites via their service isn't quantifiable damage in legal terms. If they can produce a list of PSN users that can demonstrate that they were victims of identity theft due to the security breach, then Sony would be liable, otherwise it's just people complaining about not having the core service that Sony was providing for free and an additional route of access to other online services that aren't directly tied to Sony's network.

Exactly. A few spoilt kiddies lost out on using extraneous online services on their expensive toys for a few days. Whoop-de-doo.

Don't expect any rational discussion here on Ars where there is a completely and utterly irrational hatred of everything Sony -- FFS people on this site were leaping with joy when Sony were hacked.

If they can produce a list of PSN users that can demonstrate that they were victims of identity theft due to the security breach, then Sony would be liable

It is very unlikely that any of the PSN customers could demonstrate that their identity theft or monetary loss was solely as a result of this breach in particular (How many online services do you use Mr. Doe, do you have an itunes, amazon, newegg, steam account? Have you ever used this credit card anywhere else, like, say your local gas station?) -- actual damages are essentially unprovable.

If they can produce a list of PSN users that can demonstrate that they were victims of identity theft due to the security breach, then Sony would be liable

It is very unlikely that any of the PSN customers could demonstrate that their identity theft or monetary loss was solely as a result of this breach in particular (How many online services do you use Mr. Doe, do you have an itunes, amazon, newegg, steam account? Have you ever used this credit card anywhere else, like, say your local gas station?) -- actual damages are essentially unprovable.

I would think Sony should be liable for any damages the breach caused. At that point it's up to the people to show the breach caused them damage. Burden of proof should be on the plaintiff, not the defendant.

The way this reads is that even if every person had their identity stolen, you can't blame Sony, they did their due diligence securing private data.

The way this reads is that even if every person had their identity stolen, you can't blame Sony, they did their due diligence securing private data.

Uhm, yah, that's not what I was saying at all. Where in the hell did you get "you can't blame Sony" from what you quoted?

I was attempting to point out how specific damages aren't useful, in reply to what J1time wrote up there before me. After all, how would you KNOW the $500 in fraudulent charges that suddenly showed up were specifically due to Sony's breach? You wouldn't. And that's inadequate.

I'm increasingly of the opinion there needs to be some sort of statutory minimum for large scale breaches like this where data was stolen and the harm is too difficult to directly prove and too large to quantify.

Sony is terrible and deserving of boycott, but this ruling is correct.

The problem is that the plaintiffs have failed to demonstrate that any damages have occurred. Yes, the service was hacked, and yes, the e-mails and passwords were leaked, but the plaintiffs have not established a strong correlative link between the data breach and any systematic damages, either physical or financial. At best, all that's been shown is that people wound up getting more spam, or people had to change their passwords, but these are not damages because they do not directly correlate to money lost or harm incurred.

The data breach obviously made people angry. It made me furious; I sold my PS3 immediately following when Sony changed their contract to force arbitration [I know the other services do this, too, but Sony's was onerous in that you were forced to a venue favorable to them, whereas Microsoft will actually pay your arbitration claim fees]. But the courts are not for exacting personal grudges against a business; they're for leveling harms that have occurred. And when the plaintiffs come to the table and say little more than "We're unharmed but that this thing happened," they're going to lose the case.

That's what makes this different than a products liability case. When brakes fail, there's a very cognizable harm that occurs. So Sony is free to disclaim any warranty of service in the contract so long as in doing so, their breach doesn't actually harm anyone. The harm here, as plaintiffs have alleged at least, is tenuous and speculative. Sony may have failed to resort to best efforts (or even reasonable efforts) to secure their servers, but we agreed to that risk contractually. Consider them slimy loan sharks with onerous repayment fees -- it may be immoral, it may be wrong, but it's not necessarily illegal unless you can invalidate the contract by showing it was so one sided that it "shocks the conscience." And nothing in Sony's contract was so unreasonable as to make it inherently illegal.

Note that the judge isn't throwing the case out. Rather, the judge is simply telling the plaintiffs to go back and rewrite their claims to demonstrate that there is a legal issue to be disputed, i.e. show that a harm has occurred not properly disclaimed by the contract.

Edit: One more point. Do we really want to promulgate a rule that sysadmins or providers of internet services should be presumed liable for data breaches? Do all of us who develop and provide programs always use best practices? And should we really presume guilt on behalf of the service provider until innocence can be proved?

It would appear that the judge has no issue with Sony being liable for proven damages. Not having access to their service or third party sites via their service isn't quantifiable damage in legal terms. If they can produce a list of PSN users that can demonstrate that they were victims of identity theft due to the security breach, then Sony would be liable, otherwise it's just people complaining about not having the core service that Sony was providing for free and an additional route of access to other online services that aren't directly tied to Sony's network.

Exactly. A few spoilt kiddies lost out on using extraneous online services on their expensive toys for a few days. Whoop-de-doo.

Don't expect any rational discussion here on Ars where there is a completely and utterly irrational hatred of everything Sony -- FFS people on this site were leaping with joy when Sony were hacked.

Of course there isn't going to be a rational discussion here when YOU consider 77 MILLION affected accounts as "a few", generalize everyone that was affected as "kiddies", and again turn 24 days of downtime into "a few days". Are you by chance a politician? Or work for the MPAA/RIAA? Because your numbers are way off base.

On to the non-existent rational discussion...here on Ars.

Did Sony do everything they could to protect their user base? No. Like most companies out there, they settle for good enough and this is an example of what happens. Now like others have said, if the affected users can prove damages incurred, then I can see a case against Sony. Sony at least got out in front of the ball and was offering some type of compensation and a year of identity theft protection covered by a $1 million ID theft policy. That's more than other companies can say. The problem I have with the PSN and other console networks is that unlike banking, where you can just move to a new bank after a security breach, there is only one PSN/Xbox Live and trust is all or nothing. You either trust Sony/MS to keep your information private, no matter the cost of the service, or you don't use the service. EULAs are becoming more and more important for companies as a way to keep their hands clean in dirty situations.

The way this reads is that even if every person had their identity stolen, you can't blame Sony, they did their due diligence securing private data.

Uhm, yah, that's not what I was saying at all. Where in the hell did you get "you can't blame Sony" from what you quoted?

I was attempting to point out how specific damages aren't useful, in reply to what J1time wrote up there before me. After all, how would you KNOW the $500 in fraudulent charges that suddenly showed up were specifically due to Sony's breach? You wouldn't. And that's inadequate.

I'm increasingly of the opinion there needs to be some sort of statutory minimum for large scale breaches like this where data was stolen and the harm is too difficult to directly prove and too large to quantify.

I got it from the article, I'll try to remember to include the article next time.

Statements the judge makes repeatedly such as

Quote:

"no warranty is given about the quality, functionality, availability, or performance of Sony Online Services, or any content or service offered on or through Sony Online Services."

suggest that if there is not a given warranty, companies are not responsible. I get what the judge tries to say, but it isn't what the judge specifically says, and that's an important and easily abused distinction in law.

The problem is cause and correlation. A victim of fraudulent charges to his bank account is not indicative of a specific security breach, whether or not the victim was also a victim in that case. You could be a victim of a security breach at one publicly shamed service but might also be prone to issues related to another, yet undisclosed security breach at another service. How many of these victims are at intersections of such coincidental circumstances? The internet is big, everyone has got their hands dirtied in practically every area possible, and it's easy for the swayed masses to believe in singularity events.

And nothing in Sony's contract was so unreasonable as to make it inherently illegal.

Except you also need to consider that Sony's "contract" is entirely one sided, and in turn all but predatory in that use of the purchased hardware requires use of the service, which requires agreeing to the entirely non-negotiable terms which are presented after the point of sale of the hardware, which are routinely modified by Sony with no recourse to the consumer to negotiate said modifications, and in no way could be considered accessible to the intended audience of said terms.

Meanwhile, the contract attempts to basically provide a win-win scenario for Sony: they can charge for the service but have practically no responsibilities regarding said service, according to their own disclaimers. Reading Sony's contract as protecting Sony against the situation which DID arise, given the circumstances of said situation, would actually be seen as quite unreasonable, if people agreeing to said contract were supposed to assume it would cover said events and circumstances.

Nothing is ever 100% free of defects, and it would be unreasonable to hold such an expectation short of such a thing being warrantied. However, consumers are supposed to be covered by fair dealing laws (lemon laws, etc) and in terms of fair dealing, a certain level of expectation of reasonable service does exist, which is magnified by the nature of the service offered, the scope of the service, and the owner of the service. What is a reasonable expectation of a national lawn service company may not be of the twelve year old down the street using a borrowed mower, and vice versa. The question to me is whether Sony's failures represent a reasonable defect or an unreasonable failure to provide fair dealing with their customers.

Granted that's a difficult and thorny path legally, but personally I feel like they failed in dealing fairly, that their TOS were essentially predatory, and that allowing their disclaimers to stand in such a situation and circumstances or for the EULA/TOS to stand as an actual contract is enforcing a very predatory practice which is severely eroding consumer rights, especially given the spaces it is most often being used in. It's one thing to say "hey, we're not perfect." It's another to say "we can screw up however badly and for any reason and you're screwed, sorry you decided to choose us."

I'm not a lawyer, I haven't read the related briefs or the ruling in full, so I'm not going to come down on the judge about this, it just strikes me as being a wrong in terms of real justice and in terms of consumer rights. Personally I think Sony's actions in this completely fail the reasonable expectations test, and while I hardly think it merits a huge payout for all and sundry, I do think there is some level of recompense deserved past what Sony tossed out, or at least different from it.

I'm more than willing to acknowledge that in terms of actual damages, there is a point to be made and it does stand to reason that particularly on certain matters damages should be shown. I just also believe there is another fundamental issue at stake which is a genuine grievance deserving legal remedy. Whether that's actually the case is of course another matter, but it is how I feel about it. In that sense, my personal concern is less the case in particular and more the pattern at large.

Care to elaborate? We have a lot of people here commenting about industry standard practices. You think that concept is irrelevant?

Industry practices are not legally binding practices.

That is not true, many times, especially in contract law industry standards indeed become the legal standard by which performance is measured against. It didn't happen in this case, but that doesn't mean it doesn't happen at all.

Edit: One more point. Do we really want to promulgate a rule that sysadmins or providers of internet services should be presumed liable for data breaches? Do all of us who develop and provide programs always use best practices? And should we really presume guilt on behalf of the service provider until innocence can be proved?

THIS x111111111

Seriously, all of you guys bitching in this thread. Do you wish to be held to the same standard you're holding Sony to?

I doubt it. At that point it becomes legally dangerous to write any sort of app. If you fuck up and some data manages to get out.... Do you want to spend the rest of your life paying off a civil judgement from a few pissed off users?

Or hell, let's make this even better: can I sue people because they didn't follow their company's SOP and got virus infected surfing and their contact list got stolen and now gets spammed to death due to their negligence?

If they can produce a list of PSN users that can demonstrate that they were victims of identity theft due to the security breach, then Sony would be liable

It is very unlikely that any of the PSN customers could demonstrate that their identity theft or monetary loss was solely as a result of this breach in particular (How many online services do you use Mr. Doe, do you have an itunes, amazon, newegg, steam account? Have you ever used this credit card anywhere else, like, say your local gas station?) -- actual damages are essentially unprovable.

I would think Sony should be liable for any damages the breach caused. At that point it's up to the people to show the breach caused them damage. Burden of proof should be on the plaintiff, not the defendant.

The way this reads is that even if every person had their identity stolen, you can't blame Sony, they did their due diligence securing private data.

It reading that way is either a result of preconceived opinions of the reader, or somewhat unclear writing by the author. I would say the most important line in the article is:

"Furthermore, the plaintiffs were unable to prove any specific harm of identity theft or personal fraud stemming directly from the data breach."

The law requires that plaintiff prove specific damages, which this suit has failed to do. If the ToS and EULA terms protected Sony fully (as most posters here seem to be trying to imply) the plaintiffs would not be allowed to amend and resubmit the suit. Since the article explicitly notes they can resubmit, it's strongly evident that the lack of damages is the primary driver for the rejection of the suit.